Updates ppl example (#1385)

* updates ppl example * updates ppl example
pomerium · May 7, 2024 · 4c0cb1f · 4c0cb1f
1 parent b88695c
commit 4c0cb1f
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/content/docs/capabilities/ppl.mdx b/content/docs/capabilities/ppl.mdx
@@ -27,17 +27,17 @@ allow:
  and:
  - domain:
  is: example.com
- - user:
- is: [email protected]
 deny:
  or:
- - user:
+ - email:
  is: [email protected]
- - user:
+ - email:
  is: [email protected]
 ```
 
-This policy will allow a user with an email address at `example.com` who **is also** `user`. It will deny `user2` **or** `user3`, regardless of their domain and group membership.
+This policy grants access only if the domain portion of a user's email address matches the specified value, `example.com`.
+
+It will deny access to users with a `[email protected]` **or** `[email protected]` email address.
 
 ## Rules
 
@@ -149,7 +149,7 @@ Entries marked with `*` denote criteria that are only available in the [Enterpri
 | \* `record` | variable | Allows policies to be extended using data from [external data sources](/docs/integrations) |
 | `reject` | Anything. Typically `true`. | Always returns false. The opposite of `accept`. |
 | \* `time_of_day` | [Time of Day Matcher] | Returns true if the time of the request (for the current day) matches the constraints. |
-| `user` | [String Matcher] | Returns true if the logged-in user's id matches the given value. |
+| `user` | [String Matcher] | Returns `true` if the logged-in user's ID matches the supplied value. (The actual value of the user ID claim depends on how the identity provider sets this value.) |
 
 Entries marked with `*` denote criteria that are only available in the [Enterprise Console](/docs/deploy/enterprise) PPL builder. All other entries are available in both Pomerium Core and Pomerium Enterprise.